Zerologon Attack Detection (CVE-2020-1472)

After a very hot July that was especially fruitful for critical vulnerabilities (1, 2, 3), Microsoft’s Patch Tuesday in August went relatively quiet. Yes, once again more than a hundred vulnerabilities were patched; yes, 17 flaws were rated Critical; but Microsoft didn’t point at bugs of the “We All Doomed” level. Even then, however, security researchers drew attention to the Zerologon attack: the critical elevation of privilege flaw (CVE-2020-1472) that allows attackers to misuse the Netlogon Remote Protocol and gain administrator access to a domain controller. In short, CVE-2020-1472 (CVSS score: 10.0) gives an attacker a way to take command of a captured Domain Administrator account.

Security update and mitigation of CVE-2020-1472

Microsoft plans to solve the security issue in two phases, radically modifying the connection of devices within corporate networks.

The first one, the Initial Deployment Phase, started on August 11, 2020. It will last until Q1 2020, and during this time updates will be released. To warn administrators about vulnerable Netlogon connections related to CVE-2020-1472, Microsoft added new Event IDs along with the updates for affected versions of Windows Server. Among them, Event ID 5829 was added to report vulnerable Netlogon connections.

In phase two, the Enforcement Phase, planned to start on February 9, 2021, Domain Controllers with the updates installed will deny connections from devices using vulnerable Netlogon secure channel connections, except those allowed by group policy.

Technical details and detection of Zerologon attack

Today security firm Secura published the technical details behind the Zerologon critical flaw, and evidence of how easy CVE-2020-1472 is to exploit has already begun to pour in. Now cybercriminals who have compromised a system on an organization’s network can almost instantly gain access to a domain controller. Botnets such as Emotet or TrickBot, which provide access to infected systems to other groups, will become even more dangerous, and the time ransomware gangs need from the moment they sneak into the network until they start encrypting files will be significantly reduced.

Install the security update ASAP if you haven’t already. We also recommend downloading and deploying the community rule by Adam Swan, our senior threat hunting engineer, to detect Zerologon attacks: https://tdm.socprime.com/tdm/info/FgNYLnTxIVrs/7WbXfnQBSh4W_EKGaxL5/

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ELK Stack, RSA NetWitness, Splunk, LogPoint, Humio

NTA: Corelight

MITRE ATT&CK: 

Tactics: Lateral Movement

Techniques: Exploitation of Remote Services (T1210)

New rules for Zerologon attack (CVE-2020-1472 vulnerability) detection are being published at SOC Prime Threat Detection Marketplace.
Vulnerable Netlogon Secure Channel Connection Allowed by NVISO https://tdm.socprime.com/tdm/info/S4U7tNVmkwFr/Jp2DknQBPeJ4_8xcsU3h/?p=1
Anonymous User Changed Machine Password by Adam Swan, SOC Prime Team https://tdm.socprime.com/tdm/info/EPl2OKBmxbJ6/fHN5k3QBSh4W_EKG8VJB/?p=1#
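As an added illustration (not the SOC Prime rules themselves, nor code from this post), the core logic behind the two detections listed above, written in Python and run over constructed event records: flag Event ID 5829 (vulnerable Netlogon secure channel connection allowed), and flag a computer account change (Windows Security Event ID 4742) whose subject is ANONYMOUS LOGON and whose password was reset. The 4742 field names used for matching and the sample records are assumptions, not content from the page.

```python
import json
from typing import Iterable, List, Tuple

# Event 5829 (System log, source Netlogon) is the ID Microsoft added with the August 2020
# update to report a vulnerable Netlogon secure channel connection that was allowed.
VULNERABLE_NETLOGON_EVENT = 5829
# Event 4742 ("A computer account was changed", Security log) is used here to spot a machine
# account password reset made by an unauthenticated caller, the trace Zerologon exploitation
# leaves on the domain controller. Matching on these EventData field names is an assumption.
COMPUTER_ACCOUNT_CHANGED_EVENT = 4742


def detect_zerologon(events: Iterable[dict]) -> List[Tuple[str, dict]]:
    """Return (rule_name, event) findings for every event matching one of the two rules."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        data = ev.get("EventData", {})
        if eid == VULNERABLE_NETLOGON_EVENT:
            findings.append(("vulnerable_netlogon_secure_channel_allowed", ev))
        elif eid == COMPUTER_ACCOUNT_CHANGED_EVENT:
            subject = data.get("SubjectUserName", "").upper()
            target = data.get("TargetUserName", "")
            # Machine accounts end in "$"; "-" in PasswordLastSet means the password was not changed.
            if subject == "ANONYMOUS LOGON" and target.endswith("$") and data.get("PasswordLastSet", "-") != "-":
                findings.append(("anonymous_user_changed_machine_password", ev))
    return findings


# Constructed sample records (JSON lines, as a log forwarder might emit them); not real logs.
SAMPLE_LOG = """
{"EventID": 5829, "Channel": "System", "EventData": {"SamAccountName": "WS01$"}}
{"EventID": 4742, "Channel": "Security", "EventData": {"SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 3:21:07 PM"}}
{"EventID": 4742, "Channel": "Security", "EventData": {"SubjectUserName": "DC01$", "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 3:25:00 PM"}}
{"EventID": 4742, "Channel": "Security", "EventData": {"SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "-"}}
"""


def load_events(text: str) -> List[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for rule, ev in detect_zerologon(load_events(SAMPLE_LOG)):
        print(f"{rule}: EventID {ev['EventID']} {ev['EventData']}")
```

The third record (the DC rotating its own machine password) and the fourth (anonymous subject but no password change) are deliberately left unflagged, so the rule keys on the combination rather than on either field alone.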


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.